0

Good Day,

I am creating a webpage that users login called "index.html" which POSTs data to the "home.php" site when the user submits the form from "index.html." Now that I am inside the "home.php" I can retrieve the posted variables, check them against the database and authenticate the user. Once I am in the "home.php" file, I would like the user to issue a GET request to the "home.php" site to display different data. Is there a way to do that and maintain the authentication?

Right now I am getting a notice saying that the POST variables are undefined. (Obviously, since I am not posting anything)

Notice: Undefined index: pass in C:\xampp\htdocs\home.php on line 7

Thanks, Matt

Improve this question
3
  • Are you trying to get $_POST['pass'] in your code? This is a E_STRICT error (I think its classes E_STRICT now). You could lower you error reporting if you really wanted Commented Jun 27, 2012 at 15:36
  • The error message isn't his problem--the fact that he can't access the variables is, if I'm understanding this correctly. Commented Jun 27, 2012 at 15:38
  • That's the even bigger problem, understanding... Commented Jun 27, 2012 at 15:40

4 Answers 4

Reset to default
2

It sounds like you want to use sessions.

See: http://www.w3schools.com/php/php_sessions.asp

See: http://www.tizag.com/phpT/phpsessions.php

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

Once you perform your initial authentication check, which would be the form submission and account verification, you should assign the user some form of session token. This is a token that you can verify is authentic that you use for a short-hand verification for subsequent requests. You can create this token a few ways:

  1. Create a simple table to keep track of authorized session tokens and their expiration date. This ensures that only sessions you create are allowed, tied to a single account, and have a guaranteed expiration date.
  2. Create an encrypted token format so the session token is actually an encrypted data container which you can only read on the server side with a private, rotating key. The token would contain information about the user and expiration and eliminate the need for a server side table.

In addition to the basic information for each token it would also be good to include references to the UserAgent and IPAddress of the initial authentication request so you can ensure there is no session hijacking taking place.

Once you create your token you will want to store it in a cross-request location; which can be either a session or cookie variable. This is primarily a preference, but either way, you should ensure it is only accessible from an HTTP request and not a JS request to prevent XSS (cross site scripting). Check out these artickes on sessions and cookies:

Now that you have a token you can use from anywhere in your site you will want to make an authentication handler for each of your pages to check this token and verify it is valid. Once you confirm it is authentic you can use it to figure out which user is viewing the page and what permissions they should have.

Improve this answer

Comments

1

Do this

$pass = isset($_POST['pass']) ? $_POST['pass'] : null;
Improve this answer

Comments

1

You can for example do that :

echo "<form method='post' action='home.php?parameter1=".$variable1."'>";

Then you have both POST and GET variables.

Edit: But I think I misunderstood you, use SESSION variables to persist the authentication through pages.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.